Add extra nil checks on cert.Leaf just in case

As follow-up to previous commits

Author: mholt

certificates.go

@@ -87,6 +87,14 @@ func (cert Certificate) NeedsRenewal(cfg *Config) bool {
 // call it again to see if the cert in storage still needs renewal -- you probably don't want
 // to log the second time for checking the cert in storage which is mainly for synchronization.
 func (cfg *Config) certNeedsRenewal(leaf *x509.Certificate, ari acme.RenewalInfo, emitLogs bool) bool {
+	// though this should never happen, safeguard to avoid panics which happened before (since patched; but just in case)
+	if leaf == nil {
+		if emitLogs {
+			cfg.Logger.Error("cannot check if nil leaf cert needs renewal")
+		}
+		return false
+	}
+
 	expiration := expiresAt(leaf)
 
 	var logger *zap.Logger

handshake.go

@@ -561,6 +561,9 @@ func (cfg *Config) handshakeMaintenance(ctx context.Context, hello *tls.ClientHe
 		zap.String("server_name", hello.ServerName))
 
 	renewIfNecessary := func(ctx context.Context, hello *tls.ClientHelloInfo, cert Certificate) (Certificate, error) {
+		if cert.Leaf == nil {
+			return cert, fmt.Errorf("leaf certificate is unexpectedly nil: either the Certificate got replaced by an empty value, or it was not properly initialized")
+		}
 		if cfg.certNeedsRenewal(cert.Leaf, cert.ari, true) {
 			// Check if the certificate still exists on disk. If not, we need to obtain a new one.
 			// This can happen if the certificate was cleaned up by the storage cleaner, but still